RubySec

Providing security resources for the Ruby community

CVE-2015-9097 (mail): CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses

GEM

mail

SEVERITY

CVSS v3.x: 6.1 (Medium)

PATCHED VERSIONS

  • >= 2.5.5

DESCRIPTION

The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
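The defect described above is a line-break injection: an envelope address is interpolated verbatim into the `MAIL FROM:<...>` and `RCPT TO:<...>` command lines, so a CR or LF inside the address terminates that line and lets the rest of the string be read by the server as further commands. The following is an added example of the kind of check a delivery layer needs before it emits those commands; it is not the mail gem's own code or the 2.5.5 fix, and the function names (`safe_smtp_address?`, `rcpt_to_line`, `mail_from_line`) and the `UnsafeAddressError` class are assumptions for illustration.

```ruby
# Added example, not code from the mail gem: validate envelope addresses
# before they are placed into SMTP command lines.

# Raised when an address could terminate or alter the SMTP command line.
class UnsafeAddressError < ArgumentError; end

# Any ASCII control character (including CR 0x0d and LF 0x0a) and DEL.
# CR/LF are the injection vector; the other control characters have no
# legitimate place in an envelope address either, so they are rejected too.
SMTP_CONTROL_CHARS = /[\x00-\x1f\x7f]/

# Returns true only for a non-empty String that contains no control
# characters, i.e. one that cannot break out of "RCPT TO:<addr>".
def safe_smtp_address?(addr)
  return false unless addr.is_a?(String)
  return false if addr.empty?
  !addr.match?(SMTP_CONTROL_CHARS)
end

# Builds the RCPT TO command line for one recipient. Raises instead of
# emitting a command when the address fails the control-character check.
def rcpt_to_line(addr)
  unless safe_smtp_address?(addr)
    raise UnsafeAddressError, "recipient address contains control characters"
  end
  "RCPT TO:<#{addr}>\r\n"
end

# Same check applied to the sender, since MAIL FROM is the other
# command built from caller-supplied input.
def mail_from_line(addr)
  unless safe_smtp_address?(addr)
    raise UnsafeAddressError, "sender address contains control characters"
  end
  "MAIL FROM:<#{addr}>\r\n"
end

if __FILE__ == $0
  # Constructed sample inputs: one clean address and one carrying a CRLF.
  puts rcpt_to_line("alice@example.com").inspect
  begin
    rcpt_to_line("bob@example.com\r\nDATA")
  rescue UnsafeAddressError => e
    puts "rejected: #{e.message}"
  end
end
```

The check runs on the envelope address only; display names and the message body are handled by other parts of a mail library and need their own treatment. Rejecting with an exception, rather than silently stripping the offending bytes, keeps the caller aware that the input was not a plain address.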